Generally Pen Test should be a "time based" activity.
You define targets, goals and TIME within achieve these goals.
Once TIME is defined, with the client, you get the price.
Skills are not part of the pricing model: skills affect TIME and goals.
My 2 cents
Chris Stromblad ha scritto:
Hi list,
Those of you who work with this professionally, what sort of pricing
model do you use? How do you assess what should be charged for the test?
Considering the fact that there are many types of pen-tests and all have
different scope. I'm having a hard time figuring out if the prices that
has been given to me are reasonable.
Say I were to give you one of the following scenarios, what would you
charge (roughly):
1. "Black box with shades of gray", 2 /24 networks, not all devices are
active. External scan.
2. Internal scan, only devices
3. Internal scan, procedures, physical security and devices
I know this question is somewhat difficult to answer, because there is
no correct answer, but any advice is welcome.
Cheers,
Chris
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
--
Davide Carnevali
CEO
Protechta - Information Security
OPST, CCSP
Tel. +39 0521 2021
Fax. +39 0521 207461
http://www.protechta.it/
e-mail: davide@protechta.it
Disclaimer: http://www.protechta.it/disclaimer
------------------------------------------------------------------------
Chi riceve il presente messaggio e' tenuto a verificare se lo stesso
non gli sia pervenuto per errore. In tal caso e` pregato di avvisare
immediatamente il mittente e, tenuto conto delle responsabilita'
connesse all'indebito utilizzo e/o divulgazione del messaggio e/o
delle informazioni in esso contenute, voglia cancellare l'originale
e distruggere le varie copie o stampe.
The receiver of this message is required to check if he/she has received
it erroneously. If so, the receiver is requested to immediately
inform the sender and - in consideration of the responsibilities arising
from undue use and/or disclosure of the message and/or the information
contained therein - destroy the original message and any copy or printout
thereof.
-------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
|